diff --git a/src/go.mod b/src/go.mod
index 6d354b2..6366b38 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -14,6 +14,7 @@ require (
github.com/gorilla/sessions v1.2.2
github.com/gorilla/websocket v1.5.1
github.com/grandcat/zeroconf v1.0.0
+ github.com/jellydator/ttlcache/v3 v3.4.0
github.com/likexian/whois v1.15.1
github.com/microcosm-cc/bluemonday v1.0.26
github.com/monperrus/crawler-user-agents v1.1.0
diff --git a/src/go.sum b/src/go.sum
index dd2019c..2ce1488 100644
--- a/src/go.sum
+++ b/src/go.sum
@@ -445,6 +445,8 @@ github.com/infobloxopen/infoblox-go-client/v2 v2.10.0/go.mod h1:NeNJpz09efw/edzq
github.com/jarcoal/httpmock v1.0.8/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik=
github.com/jarcoal/httpmock v1.4.0 h1:BvhqnH0JAYbNudL2GMJKgOHe2CtKlzJ/5rWKyp+hc2k=
github.com/jarcoal/httpmock v1.4.0/go.mod h1:ftW1xULwo+j0R0JJkJIIi7UKigZUXCLLanykgjwBXL0=
+github.com/jellydator/ttlcache/v3 v3.4.0 h1:YS4P125qQS0tNhtL6aeYkheEaB/m8HCqdMMP4mnWdTY=
+github.com/jellydator/ttlcache/v3 v3.4.0/go.mod h1:Hw9EgjymziQD3yGsQdf1FqFdpp7YjFMd4Srg5EJlgD4=
github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
diff --git a/src/mod/auth/sso/oauth2/oauth2.go b/src/mod/auth/sso/oauth2/oauth2.go
index e06aec7..4108ce2 100644
--- a/src/mod/auth/sso/oauth2/oauth2.go
+++ b/src/mod/auth/sso/oauth2/oauth2.go
@@ -7,23 +7,33 @@ import (
"net/http"
"net/url"
"strings"
+ "time"
+ "github.com/jellydator/ttlcache/v3"
"golang.org/x/oauth2"
"imuslab.com/zoraxy/mod/database"
"imuslab.com/zoraxy/mod/info/logger"
"imuslab.com/zoraxy/mod/utils"
)
+const (
+ // DefaultOAuth2ConfigCacheTime defines the default cache duration for OAuth2 configuration
+ DefaultOAuth2ConfigCacheTime = 60 * time.Second
+)
+
type OAuth2RouterOptions struct {
- OAuth2ServerURL string //The URL of the OAuth 2.0 server server
- OAuth2TokenURL string //The URL of the OAuth 2.0 token server
- OAuth2ClientId string //The client id for OAuth 2.0 Application
- OAuth2ClientSecret string //The client secret for OAuth 2.0 Application
- OAuth2WellKnownUrl string //The well-known url for OAuth 2.0 server
- OAuth2UserInfoUrl string //The URL of the OAuth 2.0 user info endpoint
- OAuth2Scopes string //The scopes for OAuth 2.0 Application
- Logger *logger.Logger
- Database *database.Database
+ OAuth2ServerURL string //The URL of the OAuth 2.0 server server
+ OAuth2TokenURL string //The URL of the OAuth 2.0 token server
+ OAuth2ClientId string //The client id for OAuth 2.0 Application
+ OAuth2ClientSecret string //The client secret for OAuth 2.0 Application
+ OAuth2WellKnownUrl string //The well-known url for OAuth 2.0 server
+ OAuth2UserInfoUrl string //The URL of the OAuth 2.0 user info endpoint
+ OAuth2Scopes string //The scopes for OAuth 2.0 Application
+ OAuth2CodeChallengeMethod string //The authorization code challenge method
+ OAuth2ConfigurationCacheTime *time.Duration
+ Logger *logger.Logger
+ Database *database.Database
+ OAuth2ConfigCache *ttlcache.Cache[string, *oauth2.Config]
}
type OIDCDiscoveryDocument struct {
@@ -57,11 +67,26 @@ func NewOAuth2Router(options *OAuth2RouterOptions) *OAuth2Router {
options.Database.Read("oauth2", "oauth2ClientId", &options.OAuth2ClientId)
options.Database.Read("oauth2", "oauth2ClientSecret", &options.OAuth2ClientSecret)
options.Database.Read("oauth2", "oauth2UserInfoUrl", &options.OAuth2UserInfoUrl)
+ options.Database.Read("oauth2", "oauth2CodeChallengeMethod", &options.OAuth2CodeChallengeMethod)
options.Database.Read("oauth2", "oauth2Scopes", &options.OAuth2Scopes)
+ options.Database.Read("oauth2", "oauth2ConfigurationCacheTime", &options.OAuth2ConfigurationCacheTime)
- return &OAuth2Router{
+ ar := &OAuth2Router{
options: options,
}
+
+ if options.OAuth2ConfigurationCacheTime == nil ||
+ options.OAuth2ConfigurationCacheTime.Seconds() == 0 {
+ cacheTime := DefaultOAuth2ConfigCacheTime
+ options.OAuth2ConfigurationCacheTime = &cacheTime
+ }
+
+ options.OAuth2ConfigCache = ttlcache.New[string, *oauth2.Config](
+ ttlcache.WithTTL[string, *oauth2.Config](*options.OAuth2ConfigurationCacheTime),
+ )
+ go options.OAuth2ConfigCache.Start()
+
+ return ar
}
// HandleSetOAuth2Settings is the internal handler for setting the OAuth URL and HTTPS
@@ -81,13 +106,15 @@ func (ar *OAuth2Router) HandleSetOAuth2Settings(w http.ResponseWriter, r *http.R
func (ar *OAuth2Router) handleSetOAuthSettingsGET(w http.ResponseWriter, r *http.Request) {
//Return the current settings
js, _ := json.Marshal(map[string]interface{}{
- "oauth2WellKnownUrl": ar.options.OAuth2WellKnownUrl,
- "oauth2ServerUrl": ar.options.OAuth2ServerURL,
- "oauth2TokenUrl": ar.options.OAuth2TokenURL,
- "oauth2UserInfoUrl": ar.options.OAuth2UserInfoUrl,
- "oauth2Scopes": ar.options.OAuth2Scopes,
- "oauth2ClientSecret": ar.options.OAuth2ClientSecret,
- "oauth2ClientId": ar.options.OAuth2ClientId,
+ "oauth2WellKnownUrl": ar.options.OAuth2WellKnownUrl,
+ "oauth2ServerUrl": ar.options.OAuth2ServerURL,
+ "oauth2TokenUrl": ar.options.OAuth2TokenURL,
+ "oauth2UserInfoUrl": ar.options.OAuth2UserInfoUrl,
+ "oauth2Scopes": ar.options.OAuth2Scopes,
+ "oauth2ClientSecret": ar.options.OAuth2ClientSecret,
+ "oauth2ClientId": ar.options.OAuth2ClientId,
+ "oauth2CodeChallengeMethod": ar.options.OAuth2CodeChallengeMethod,
+ "oauth2ConfigurationCacheTime": ar.options.OAuth2ConfigurationCacheTime.String(),
})
utils.SendJSONResponse(w, string(js))
@@ -95,7 +122,8 @@ func (ar *OAuth2Router) handleSetOAuthSettingsGET(w http.ResponseWriter, r *http
func (ar *OAuth2Router) handleSetOAuthSettingsPOST(w http.ResponseWriter, r *http.Request) {
//Update the settings
- var oauth2ServerUrl, oauth2TokenURL, oauth2Scopes, oauth2UserInfoUrl string
+ var oauth2ServerUrl, oauth2TokenURL, oauth2Scopes, oauth2UserInfoUrl, oauth2CodeChallengeMethod string
+ var oauth2ConfigurationCacheTime *time.Duration
oauth2ClientId, err := utils.PostPara(r, "oauth2ClientId")
if err != nil {
@@ -109,8 +137,20 @@ func (ar *OAuth2Router) handleSetOAuthSettingsPOST(w http.ResponseWriter, r *htt
return
}
- oauth2WellKnownUrl, err := utils.PostPara(r, "oauth2WellKnownUrl")
+ oauth2CodeChallengeMethod, err = utils.PostPara(r, "oauth2CodeChallengeMethod")
if err != nil {
+ utils.SendErrorResponse(w, "oauth2CodeChallengeMethod not found")
+ return
+ }
+
+ oauth2ConfigurationCacheTime, err = utils.PostDuration(r, "oauth2ConfigurationCacheTime")
+ if err != nil {
+ utils.SendErrorResponse(w, "oauth2ConfigurationCacheTime not found")
+ return
+ }
+
+ oauth2WellKnownUrl, err := utils.PostPara(r, "oauth2WellKnownUrl")
+ if err != nil || oauth2WellKnownUrl == "" {
oauth2ServerUrl, err = utils.PostPara(r, "oauth2ServerUrl")
if err != nil {
utils.SendErrorResponse(w, "oauth2ServerUrl not found")
@@ -146,6 +186,8 @@ func (ar *OAuth2Router) handleSetOAuthSettingsPOST(w http.ResponseWriter, r *htt
ar.options.OAuth2ClientId = oauth2ClientId
ar.options.OAuth2ClientSecret = oauth2ClientSecret
ar.options.OAuth2Scopes = oauth2Scopes
+ ar.options.OAuth2CodeChallengeMethod = oauth2CodeChallengeMethod
+ ar.options.OAuth2ConfigurationCacheTime = oauth2ConfigurationCacheTime
//Write changes to database
ar.options.Database.Write("oauth2", "oauth2WellKnownUrl", oauth2WellKnownUrl)
@@ -155,6 +197,11 @@ func (ar *OAuth2Router) handleSetOAuthSettingsPOST(w http.ResponseWriter, r *htt
ar.options.Database.Write("oauth2", "oauth2ClientId", oauth2ClientId)
ar.options.Database.Write("oauth2", "oauth2ClientSecret", oauth2ClientSecret)
ar.options.Database.Write("oauth2", "oauth2Scopes", oauth2Scopes)
+ ar.options.Database.Write("oauth2", "oauth2CodeChallengeMethod", oauth2CodeChallengeMethod)
+ ar.options.Database.Write("oauth2", "oauth2ConfigurationCacheTime", oauth2ConfigurationCacheTime)
+
+ // Flush caches
+ ar.options.OAuth2ConfigCache.DeleteAll()
utils.SendOK(w)
}
@@ -167,6 +214,7 @@ func (ar *OAuth2Router) handleSetOAuthSettingsDELETE(w http.ResponseWriter, r *h
ar.options.OAuth2ClientId = ""
ar.options.OAuth2ClientSecret = ""
ar.options.OAuth2Scopes = ""
+ ar.options.OAuth2CodeChallengeMethod = ""
ar.options.Database.Delete("oauth2", "oauth2WellKnownUrl")
ar.options.Database.Delete("oauth2", "oauth2ServerUrl")
@@ -175,6 +223,8 @@ func (ar *OAuth2Router) handleSetOAuthSettingsDELETE(w http.ResponseWriter, r *h
ar.options.Database.Delete("oauth2", "oauth2ClientId")
ar.options.Database.Delete("oauth2", "oauth2ClientSecret")
ar.options.Database.Delete("oauth2", "oauth2Scopes")
+ ar.options.Database.Delete("oauth2", "oauth2CodeChallengeMethod")
+ ar.options.Database.Delete("oauth2", "oauth2ConfigurationCacheTime")
utils.SendOK(w)
}
@@ -189,12 +239,10 @@ func (ar *OAuth2Router) fetchOAuth2Configuration(config *oauth2.Config) (*oauth2
return nil, err
} else {
defer resp.Body.Close()
-
oidcDiscoveryDocument := OIDCDiscoveryDocument{}
if err := json.NewDecoder(resp.Body).Decode(&oidcDiscoveryDocument); err != nil {
return nil, err
}
-
if len(config.Scopes) == 0 {
config.Scopes = oidcDiscoveryDocument.ScopesSupported
}
@@ -241,14 +289,24 @@ func (ar *OAuth2Router) newOAuth2Conf(redirectUrl string) (*oauth2.Config, error
func (ar *OAuth2Router) HandleOAuth2Auth(w http.ResponseWriter, r *http.Request) error {
const callbackPrefix = "/internal/oauth2"
const tokenCookie = "z-token"
+ const verifierCookie = "z-verifier"
scheme := "http"
if r.TLS != nil {
scheme = "https"
}
+
reqUrl := scheme + "://" + r.Host + r.RequestURI
- oauthConfig, err := ar.newOAuth2Conf(scheme + "://" + r.Host + callbackPrefix)
- if err != nil {
- ar.options.Logger.PrintAndLog("OAuth2Router", "Failed to fetch OIDC configuration:", err)
+ oauthConfigCache, _ := ar.options.OAuth2ConfigCache.GetOrSetFunc(r.Host, func() *oauth2.Config {
+ oauthConfig, err := ar.newOAuth2Conf(scheme + "://" + r.Host + callbackPrefix)
+ if err != nil {
+ ar.options.Logger.PrintAndLog("OAuth2Router", "Failed to fetch OIDC configuration:", err)
+ return nil
+ }
+ return oauthConfig
+ })
+
+ oauthConfig := oauthConfigCache.Value()
+ if oauthConfig == nil {
w.WriteHeader(500)
return errors.New("failed to fetch OIDC configuration")
}
@@ -263,26 +321,48 @@ func (ar *OAuth2Router) HandleOAuth2Auth(w http.ResponseWriter, r *http.Request)
state := r.URL.Query().Get("state")
if r.Method == http.MethodGet && strings.HasPrefix(r.RequestURI, callbackPrefix) && code != "" && state != "" {
ctx := context.Background()
- token, err := oauthConfig.Exchange(ctx, code)
+ var authCodeOptions []oauth2.AuthCodeOption
+ if ar.options.OAuth2CodeChallengeMethod == "PKCE" || ar.options.OAuth2CodeChallengeMethod == "PKCE_S256" {
+ verifierCookie, err := r.Cookie(verifierCookie)
+ if err != nil || verifierCookie.Value == "" {
+ ar.options.Logger.PrintAndLog("OAuth2Router", "Read OAuth2 verifier cookie failed", err)
+ w.WriteHeader(401)
+ return errors.New("unauthorized")
+ }
+ authCodeOptions = append(authCodeOptions, oauth2.VerifierOption(verifierCookie.Value))
+ }
+ token, err := oauthConfig.Exchange(ctx, code, authCodeOptions...)
if err != nil {
ar.options.Logger.PrintAndLog("OAuth2", "Token exchange failed", err)
w.WriteHeader(401)
return errors.New("unauthorized")
}
-
if !token.Valid() {
ar.options.Logger.PrintAndLog("OAuth2", "Invalid token", err)
w.WriteHeader(401)
return errors.New("unauthorized")
}
- cookie := http.Cookie{Name: tokenCookie, Value: token.AccessToken, Path: "/"}
+ cookieExpiry := token.Expiry
+ if cookieExpiry.IsZero() || cookieExpiry.Before(time.Now()) {
+ cookieExpiry = time.Now().Add(time.Hour)
+ }
+ cookie := http.Cookie{Name: tokenCookie, Value: token.AccessToken, Path: "/", Expires: cookieExpiry}
if scheme == "https" {
cookie.Secure = true
cookie.SameSite = http.SameSiteLaxMode
}
w.Header().Add("Set-Cookie", cookie.String())
+ if ar.options.OAuth2CodeChallengeMethod == "PKCE" || ar.options.OAuth2CodeChallengeMethod == "PKCE_S256" {
+ cookie := http.Cookie{Name: verifierCookie, Value: "", Path: "/", Expires: time.Now().Add(-time.Hour * 1)}
+ if scheme == "https" {
+ cookie.Secure = true
+ cookie.SameSite = http.SameSiteLaxMode
+ }
+ w.Header().Add("Set-Cookie", cookie.String())
+ }
+
//Fix for #695
location := strings.TrimPrefix(state, "/internal/")
//Check if the location starts with http:// or https://. if yes, this is full URL
@@ -321,7 +401,25 @@ func (ar *OAuth2Router) HandleOAuth2Auth(w http.ResponseWriter, r *http.Request)
}
if unauthorized {
state := url.QueryEscape(reqUrl)
- url := oauthConfig.AuthCodeURL(state, oauth2.AccessTypeOffline)
+ var url string
+ if ar.options.OAuth2CodeChallengeMethod == "PKCE" || ar.options.OAuth2CodeChallengeMethod == "PKCE_S256" {
+ cookie := http.Cookie{Name: verifierCookie, Value: oauth2.GenerateVerifier(), Path: "/", Expires: time.Now().Add(time.Hour * 1)}
+ if scheme == "https" {
+ cookie.Secure = true
+ cookie.SameSite = http.SameSiteLaxMode
+ }
+
+ w.Header().Add("Set-Cookie", cookie.String())
+
+ if ar.options.OAuth2CodeChallengeMethod == "PKCE" {
+ url = oauthConfig.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("code_challenge", cookie.Value))
+ } else {
+ url = oauthConfig.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(cookie.Value))
+ }
+ } else {
+ url = oauthConfig.AuthCodeURL(state, oauth2.AccessTypeOffline)
+ }
+
http.Redirect(w, r, url, http.StatusFound)
return errors.New("unauthorized")
diff --git a/src/mod/utils/utils.go b/src/mod/utils/utils.go
index 21d2e40..344df34 100644
--- a/src/mod/utils/utils.go
+++ b/src/mod/utils/utils.go
@@ -81,6 +81,26 @@ func PostPara(r *http.Request, key string) (string, error) {
return x, nil
}
+// Get POST parameter as time.Duration
+func PostDuration(r *http.Request, key string) (*time.Duration, error) {
+ // Try to parse the form
+ if err := r.ParseForm(); err != nil {
+ return nil, err
+ }
+ // Get first value from the form
+ x := r.Form.Get(key)
+ if len(x) == 0 {
+ return nil, errors.New("invalid " + key + " given")
+ }
+
+ duration, err := time.ParseDuration(x)
+
+ if err != nil {
+ return nil, errors.Join(errors.New("invalid "+key+" duration"), err)
+ }
+ return &duration, nil
+}
+
// Get POST paramter as boolean, accept 1 or true
func PostBool(r *http.Request, key string) (bool, error) {
x, err := PostPara(r, key)
diff --git a/src/web/components/sso.html b/src/web/components/sso.html
index 7271844..0c7d9d0 100644
--- a/src/web/components/sso.html
+++ b/src/web/components/sso.html
@@ -109,6 +109,26 @@
Secret key of the OAuth2 application
+
+
+
+
+
+
+
Plain
+
+
Plain
+
PKCE
+
PKCE (S256)
+
+
+ Options:
+ Plain: No code challenge is used.
+ PKCE: Uses a code challenge for added security.
+ PKCE (S256): Uses a hashed code challenge (SHA-256) for maximum protection.
+ Note: PKCE (especially S256) is recommended for better security.
+
+
@@ -138,6 +158,13 @@
Scopes required by the OAuth2 provider to retrieve information about the authenticated user. Refer to your OAuth2 provider documentation for more information about this. Optional if Well-Known url is configured.
+
+
+
+
+ Time to cache OAuth2 configuration before refresh. Accepts Go time.Duration format (e.g. 1m, 10m, 1h). Defaults to 60s.
+